Documentation

Policies: introduction

Posted December 4th, 2007 by sean

Introduction

A key improvement in FreeNAC version 3.0 is the introduction of an OO (objected oriented) policy interface, which provides greater flexibility and encapsulation of individual decisions regarding control of end-device access to the network.

The policy file allows the system administrator with light PHP skills to modify the decision process.

Policy 'objects'

Policy objects included with FreeNAC can be inherited and extended for site-specific usage, or replaced or removed. This flexibility should make customising and creation of add-on modules easier.

FreeNAC allows all properties of end-devices, ports and switches to be used in the policy decision. Sample policy files are provided covering typical scenarios, but the aim is to allow the flexibility to develop very specific custom policies, without changing the core software.

Pre- and post-connect phases

There is a pre-connect and post-connect phase, and policy decisions can be taken in either.

The 'pre-connect phase' is when a device is recognised by the switch and authentication is requests. This phase needs to be fast, since it is in real time - the end-user is waiting for LAN access. The result is a vlan and health status being assigned, or access being denied. vmpsd_external is the module that currently handles pre-connect.

During the post-connect phase, and end-device has already gone through pre-connect and been allowed access and granted a vlan, or denied. When pre-connect does this, the decision taken is logged. The post-connection constantly monitors messages from pre-connect, analyses and takes actions based on those messages. Post-connect does not need to be in real time (although it should be as fast as possible too). Examples of post-connect are update the 'last seen' status of devices and ports, checking for unknown end-devices in a remote database, perhaps looking up patch/anti-virus status (if these are too slow during pre-connect, or are only going to generate warning, not quarantine a system).postconnect.php is the module that handles post-connect, it receives messages from pre-connect via syslog.

End-device 'health'

The notion of 'health' has been introduced in version 3 also.

This allows quarantining/notificatiion of end-devices which do not meet the policy.

Initially there is one module that uses this new health feature, the port scan module: let's say that you know that a trojan opens the port 666 and if there is a system which is connecting to your network and its port 666 is open, you can decide what to do with it (notify, quarantine, kill it, etc).

The WSUS and EPO modules make the Windows Patch and McAfee Anti-virus status available within FreeNAC. The patch/anti-virus status can be seen in the Windows GUI. The policy health checking using these modules in still in beta status, example policies will be published in the coming weeks.